Integrated circuit cards are becoming increasingly used for many different purposes in the world today. An IC card typically is the size of a conventional credit card on which a computer chip is embedded. It comprises a microprocessor, read-only-memory (ROM), electrically erasable programmable read-only-memory (EEPROM), an Input/Output (I/O) mechanism and other circuitry to support the microprocessor in its operations. An IC card may contain one or more applications in memory. An application loader is the entity which loads the application on the card. The application loader may be the actual developer of the application or may be a third party.
MULTOS(trademark) is a multiple application operating system which runs on IC cards, among other platforms, and allows multiple applications to be executed on the card itself. This allows a card user to run many programs stored in the card (for example, credit/debit, electronic money/purse and/or loyalty applications) irrespective of the type of terminal (i.e., ATM, telephone and/or POS) in which the card is inserted for use. Of utmost importance in using such a card is security, and the operator of a card system enables cards to securely communicate with terminals or other cards. The operator also manages application loading and deleting from cards and the cryptographic keys which make the system secure.
IC cards typically have limited storage capacity due to the size and cost restraints of locating memory on the card. Applications for multi-application smart cards are written in a programming language and are typically stored in the EEPROM whose contents can be changed during the lifetime of the card. One example of a programming language used in IC cards is Multos Executable Language (MEL(trademark)). The MEL program instructions are read from EEPROM when they are executed and are interpreted by the operating system stored in ROM.
The ROM on the IC card includes the operating system written in assembler language code for the particular integrated circuit configuration (native language type code). The operating code stored in ROM is fixed when the ROM is initially written and the information stored in ROM will not change for the life of the card.
Also present in ROM can be subroutines called primitives written in a native language code for the microprocessor which can be called by either the operating system itself or by applications when they are executed. Primitives are written in the native language (i.e. assembler language) so that they can be executed very quicky and minimal interpretation of the instructions is necessary for execution. These primitives are collections of instructions which typically perform a desired function, such as a mathematical or cryptographic function. The instructions are never changed during the lifetime of the card. Any data used or accessed by the primitives are stored in EEPROM so that the contents of the data elements can change as necessary.
In the MULTOS(trademark) system, applications can call primitives stored on the card which then are executed by the operating system. For example, if an application needs to divide two numbers, the application can call the xe2x80x9cdividexe2x80x9d primitive and provide the operands for the function and the primitive will execute the calculation. Every application on the card has the ability to call the divide primitive by executing an xe2x80x9caccess divide primitivexe2x80x9d instruction. While some primitives are necessary to almost all applications, such as basic mathematical formulas or basic data retrievals, some primitives are optional and are intended to be used by only some applications. For example, security related primitives which encrypt/decrypt data may be used by some applications (e.g., a bank application) but not others (e.g., an air miles or entertainment application) due to the needs of the individual application.
Additionally, external considerations may impact the permitted use of some primitives by an application. These considerations would require the operator of the card system to have control over (i.e., prevent) access to certain primitives by individual applications. One such consideration is an individual country""s concerns about strong encryption algorithms for certain types of applications being used in the country and being exported from the country. For example, the United Kingdom may allow an encryption algorithm which is part of a primitive to be exported out of the country if the algorithm is used for a banking function. However, if the encryption algorithm is used on general data such as health information, the United Kingdom""s public policy may dictate that the encryption algorithm cannot be used outside its borders. Thus, it would be advantageous to disable the encryption primitive for that application if a country""s laws prohibit that type of data being encrypted and exported. This selective enabling of primitives for individual applications would be a powerful mechanism to control the card system.
There are other reasons to provide selective access to different primitives. Specifically, it would be desirable to have an access check for different primitives to selectively enable primitives depending upon the needs of the card system operation and/or of the providers of the applications which run on the system. For example, an I/O port xe2x80x9caccess flagxe2x80x9d could be checked when a selected primitive is called. Most IC cards currently can exchange information with a terminal by physically connecting an I/O port on the card with the terminal. The contacts located on the card are physically pressed against the terminal contacts so that an electrical signal can pass between the card and terminal. Recent developments allow an IC card to communicate with a terminal without establishing a physical contact between the card and the terminal. The exchange of information is established by radio frequency (RF) waves, cellular signals or other transmitted signal. For contactless cards an antenna is present on the card to transmit and receive the transmission signals. IC cards can contain both the physical contacts and the antennas for wireless communication. Although transferring information in a contactless or wireless manner is advantageous to the card holder by expediting the overall transaction time, the transmission signals are more susceptible to interception by a third party than if a physical connection were made. As a result, the operator of the card system may want to limit particular application programs such as financial transactions to physical connections.
Therefore, it is an object of the invention to provide a multi-application card with the ability to control access to the primitives and to allow the card system operator to enable or disable or prevent access to a primitive for a particular application.
The applicants have thus invented a system and method for controlling access to computer code and specifically to primitives embedded on a multi-application IC card. The applicants have determined that one way to achieve this objective is by use of xe2x80x9caccess flags,xe2x80x9d which, as explained in more detail below, are set in bits for indicating either that a primitive (e.g., an encryption primitive) is accessible to a particular application (if, for example, the bit is set at 1) or it is not (if the bit=0). In the case of an encryption-related primitive, the xe2x80x9caccess flagxe2x80x9d may be referred to as a xe2x80x9ccrypto flag.xe2x80x9d
Access flags related to I/O could also be used to prevent access to the contactless primitives for financial applications. The I/O access flags would be controlled and set by the card system operator and loaded onto the card by the application loader at the time the application is loaded onto the card. This access flag would allow the operator of the card system to prevent a financial or other selected application from using the contactless primitive and thus a physical connection would be required for terminal communication.
Access flags which are stored on the card and checked by the operating system allow the operator of the card system to control access to selective primitives or other subroutines by checking the status of the access flag prior to executing the primitive or subroutine. Other subroutines such as codelets (subroutines written in an application language such as MEL), subroutines in the operating system itself or other types of subroutines could also have associated access flags. The checking of the access flag is preferably performed by the operating system when a specific subroutine call instruction is executed by an application or other instruction. Depending upon the results of the access flag check, the application either executes the primitive or subroutine in question or performs another series of instructions if access is denied.
The access flags are stored with application control data which is stored in EEPROM when the application is loaded onto the card. Preferably, the flag""s default setting is to xe2x80x9cnot enabledxe2x80x9d prior to loading but the operator of the card system can set the flag to a logic xe2x80x9c1xe2x80x9d to indicate xe2x80x9cenabledxe2x80x9d if desired. For example, if an application is programmed to call a strong encryption subroutine in Country B which is outside of Country A where the algorithm was developed, the application provider might be required by the card system operator to show a certificate from the country where the card will be used showing that the application provider received permission from the government of Country A (export license) and Country B (use license) to use the encryption primitive. Upon showing of the certificate, the card operator enables the access flag bit. In this case, the xe2x80x9caccess flagxe2x80x9d could be termed a xe2x80x9ccrypto flagxe2x80x9d because it relates to encryption.